Tag Archives: non-repudiation

Telecom providers & swaggering vanity

Any business has issues; the one that states it does not is lying to you. We understand that there is mostly smooth sailing, that there are bumps in the road and that things are not always on track. We have all seen them; we might all have seen them near our desks. It is a reality: if a lumberjack is working, there will be wood chips, such is life. So when we see the Telstra ‘purpose & values’, we see: “The telecommunications industry is experiencing enormous growth; network traffic is growing faster than any other period of time and digital technology is changing our world. Telstra is at the heart of this change—and we’re helping make it happen by connecting everything to everyone”. That might be true, yet when you price yourself out of a market, there tend to be consequences.

So when the Business Insider gave us merely 2 days ago: “It looked like there were national problems with the Telstra network again today, but the Telco says no” (at https://www.businessinsider.com.au/telstra-is-down-nationally-2018-6), we see a troubling setting. Beyond the quote “The Telstra network appeared to have another national meltdown, with services in most of the major capitals disrupted in the first half of Tuesday, but the company denies there were any problems with its mobile network”, concessions on social media were made and the services were back up in the afternoon. Yet the damage was done. Not the fault, the disruption or the faulty service. The fact that Telstra was in denial is the issue. So when we also see: “Telstra said there was no issue for Telstra customers and the Telco’s 3G and 4G networks. “There was a vendor platform issue that impacted mobile virtual network operating services for a small number of wholesale customers,” a spokesperson said”, we see that Telstra has moved on through carefully phrased denials. It is a tactic to use; it is however the wrong tactic, because it takes away trust and Telstra did not have that much left to begin with. One source gives another view entirely; it is the view that makes CEO Andy Penn too confused for his own good and the health of the company. In regards to the question that ABC host Leigh Sales asked, which was: “How can shedding 8000 jobs, not make your service worse?”, the response was “Mr Penn deflected the question and talked about the complexity of a Telco network and the inevitability of network interruptions when dealing with such sprawling physical technology assets and software. After the host tried once more to ask the question, the Telstra boss steered clear of the jobs losses and moved the conversation back towards his message of increased simplicity for customers”. We merely see the fact that Telstra is playing a dangerous game of stupidity.
Deflection is bad and shares will get slammed (and they did). You see, the proper answer (or better stated, a proper answer) would be: “As we are moving to a flatter organisation, management is now directly in touch with the workforce; management will get the full scope of issues in their area of responsibility. There is no longer a delay of information trickling along a path of 2-3 managers deciding where what goes; the buck stops with the manager in charge. Basically the lower managers get more responsibility and, as they resolve the issues, also a much better reward. The direct exposure to issues and answering the questions of staff members and consumers will lead to a much better understanding and also decreases the timeline of issues and questions requiring a resolution”. You see? I resolved that question, I gave an answer, I exceeded the expectation of the current customer base and I did not deflect. So perhaps I might be the better CEO, Andy? Now, we can add that this is a work in progress and, as any company, Telstra needs to adjust settings; with a flat organisation structure it is much more direct and easier to adjust. So for yesterday’s interview, published today, I merely required seconds to set the stage in a more positive way. Yet Telstra has more issues. Their mobile plans are still horrendously expensive; in some cases a place like Optus will offer 20 times the data at the same price, and that was merely a month ago. So Telstra needs to realise that it must truly become competitive with some of its competitors. In addition, when we look at IT News, we see (at https://www.itnews.com.au/news/telstra-completely-changes-how-it-sells-enterprise-services-494853) the issues that some expect. Issues like ‘Confirms it took ‘too long’ to revamp enterprise core’, yet the revamping is not the issue; actually it is, as there was no ‘real’ revamping, merely an adjustment of the tailoring to fit other elements (as I personally see it).
You see, the danger is offered through: “It is the ability to provide fixed voice, unified communications and messaging with add-ons for mobile and applications on a per seat pricing basis for our midmarket customers. It will be all digital. It will be ordered in minutes, provisioned in minutes to hours, and everything will be billed electronically with the ability for the customer to flex up and down in volume in real time”. This is what I call the folly setting. It starts with ‘our midmarket customers’, which translates to ‘corporations and those with money’, which is fair enough, yet the economy is still in a place where the cost of living is way too high. The rest is merely a statement of ‘buy on our website or through a phone app’; there will be no negotiating, no personal touch, not a warm touch to any of it. Merely a ‘buy this by clicking or go somewhere else’. You can rephrase it again and again, but that is where it is heading, and the people have no real high regard for an automated Telstra, so that will hammer the share price for at least an additional 2%-3% in a negative direction. So as more and more people go towards the ‘Yes’ oriented Optus stores, we see that in some places Telstra is setting up movable selling points (Westfield Burwood), yet in the direct cold light of day it is not merely a transforming business, it is a setting where Telstra looks less appealing than before. That requires addressing and Andy Penn did not go the right way about it from the beginning, yet in the setting we now see, it is even less appealing than ever before.

It goes further than all this. A mere 3 hours ago, ABC gave us ‘Is this really the end of Telstra’s ‘confusopoly’?’ (at http://www.abc.net.au/news/2018-06-21/telstra-what-is-in-it-for-customers/9891076), where we see: “Andy Penn says the job losses will largely come from management so presumably consumer-facing staff will remain”, so why is Andy Capp hiding behind ‘presumably’?

The AFR takes it in another direction. There we see ‘Telstra’s strategy is all about killing Optus, Vodafone and TPG’ (at https://www.afr.com/brand/chanticleer/telstras-strategy-is-all-about-killing-optus-vodafone-and-tpg-20180620-h11mtt), where we read “competitors are clearly going to be most obvious victims of his 2022 strategy, which prioritises mobile above everything else in Telstra’s sprawling portfolio of businesses”, yet with the website as it is and the announced 5G rumours that are nowhere near 5G, we wonder how much trouble they are in. So even as we see the boastful “Telstra’s mobile business currently earns about $4 billion a year on revenue of $10 billion”, it will have little effect until the data offered is a hell of a lot higher than they currently offer. It might have been a good moment of timing for me; I ended up with twice the data at half the price. The largest population really cares about a deal that is 75% better, and that is not merely me; it includes well over 60% of all households and pretty much 99.43% of all students. Even if Telstra proclaims that they only care about midmarkets, the shareholders will not understand how they lost out on millions of customers, and that change is not reflected in anything we heard. It does not stop there. With the setting of the quote “Telstra said on Wednesday that the number of Australian households with no fixed broadband service is between 10 and 15 per cent. It expects this to rise to 25 to 30 per cent as 5G is rolled out around the country”, we see that Telstra is to lose out on more markets. The sheer fact that Vodafone figured this out in the EU is an optional gain of momentum for Vodafone, yet the hybrid options that Telstra failed to see could cost them even more in the 2020-2024 period.
In addition, when we see “Penn’s decision to adopt an aggressive roll out strategy for 5G plays into the established trend of greater use of mobile networks relative to fixed line, much of which is driven by the widespread frustration caused by the poor performance of the NBN Co”, consider the part I discussed yesterday in ‘Telstra, NATO and the USA’ (at https://lawlordtobe.com/2018/06/20/telstra-nato-and-the-usa/), which alerted us to a previous stunt played with 3.7G; that setting is reflected here. In part it is expected to be merely temporary. So when we see on the Telstra site “Verizon and Ericsson recently decided to test the 5G network on a moving target — a car being driven around a racetrack — and were able to record a 6.4gb/s connection”, now I get it. It is a test setting, yet the speed is still off by almost 40%, which is not good. It is better than what we have now, but getting out in front before the technology is truly ready is very dangerous. In addition CNet had another issue that also reflects in Australia, as well as a league of other nations: “Cybersecurity for 5G networks had been a top priority for the previous FCC under Tom Wheeler, a Democrat appointed by President Barack Obama. But the current Republican-led agency believes the FCC should not have authority to ensure wireless providers are building secure networks. “This correctly diagnoses a real problem. There is a worldwide race to lead in 5G and other nations are poised to win,” FCC commissioner Jessica Rosenworcel, a Democrat, noted in her statement. “But the remedy proposed here really misses the mark.””

You see, I have been writing for the longest time on the benefits and powers that 5G will give to a whole new range of options, yet the ignorance of non-repudiation in Telecom town is staggering. Their view is almost on par with the NSA deciding to give the guest account admin rights and leave the password blank. The dangers that people will face on that level cannot be comprehended. The moment the ball is dropped, the damage to people will be beyond comprehension. It boils down to Cambridge Analytica times 50, with all privacy set to public reading. The business will love the amount of data; the people will be less enthusiastic as their consumer rights and needs are no longer in stock with any shop using the internet for sales. I raised issues on that field in March 2017 (at https://lawlordtobe.com/2017/03/13/the-spotlight-on-exploiters/), yet that was merely the lowest setting. At that point, the Guardian (the writer, that is) raised: “The mass connectivity it allows for will also help expand the so-called internet of things (IoT), in which everyday appliances and devices wirelessly connect to the internet and each other”. Yet this is in equal measure the danger. You see, as Telstra gave visibility to ‘Lessons from CES 2018: everything is connected’ (at https://exchange.telstra.com.au/after-ces-2018-everything-in-tech-is-connected/) and Huawei is giving us ‘Huawei Connect 2018: Activate Intelligence’ (at http://www.huawei.com/en/press-events/events/huaweiconnect2018), they will likely all miss out on giving proper light to non-repudiation. It needs to be the cornerstone, yet for now there seems to be the global ‘understanding’ that someone is working on it, or that ‘blockchain solves it’, and a few other hype responses that are merely deflections of a situation not understood and even less properly attended to.
To better understand it, I found a promising paper (at https://arxiv.org/pdf/1708.04027.pdf) by Mohamed Amine Ferrag, Leandros Maglaras, Antonios Argyriou, Dimitrios Kosmanos, and Helge Janicke. In the conclusion we see: “Based on the vision for the next generation of connectivity, we proposed six open directions for future research about authentication and privacy-preserving schemes, namely, Fog paradigm-based 5G radio access network, 5G small cell-based smart grids, SDN/NFV-based architecture in 5G scenarios, dataset for intrusion detection in 5G scenarios, UAV systems in 5G environment, and 5G small cell-based vehicular crowd sensing”. This gets us to the real setting: this part is still some time ahead, and even as telecoms are rushing to get 5G first to gain the better market share, it appears that the players have no clue about the time they will lose by not properly investigating and setting the steps to get non-repudiation on the proper path. It will be seen the moment some CEO decides to listen to marketing and give a first roll out of 5G, whilst not listening to support, as they are a cost and not an asset. At that point the situation will unfold where the clever hacker ends up having optional access to 100% of the available data on several floors, and at that point the people attached to any of that will have lost whatever choice they had in the first place regarding their privacy, their accounts and their data. It had all been denied to them.

This was seen in the Economist last year, where we saw: “The flaw lies largely with the weakest link: the phone system and the humans who run it. Mr Mckesson and the bitcoin victim, for example, suffered at the hands of attackers who fooled phone-company employees into re-routing the victim’s phone number to a device in the attacker’s possession”. You see, this is not about non-repudiation, it is about authentication, and that is not the same: the phone company wrongly authenticated the attacker as the account holder, whereas a non-repudiation failure is the genuine holder being unable to prove, or unable to be held to, which actions were theirs. There is a whole league of issues, in part because the solution is still not a true given; it is in its initial stage, and even as we accept that non-repudiation is sometimes essential, it is not always essential. There is a larger issue on where and when it is needed, and it cannot be when the user decides, because roughly 92.556% are too ignorant on the subject. The impact on a personal life can be too far stretched and that is where the problem starts. Telstra fails here; in their Cyber Security White Paper 2017 it comes up once, and there we see: “Transaction approval should satisfy certain characteristics – including but not limited to integrity, non-repudiation and separation of duties”, and that is it! In a ‘Cyber Security White Paper’ that gives on the front page ‘Managing risk in a digital world’, non-repudiation needs to have a much higher priority. In a 52 page paper that gives ‘acknowledgements’ to all kinds of high priced firms at the end, with the closing “We can assist your organisation to manage risk and meet your security requirements”, what happens when customers want clear answers on non-repudiation? What is currently in play and available?

Not practising it in 2016 or 2017 might have been fine; this is about what comes next. That part we see on page 45 with ‘The increased adoption of incident response drives the growth of the after breach market’ and “In Australia, the highest usage for emerging security solutions is in ‘incident response’, and Cloud Access Security Brokers (CASB) are used the most in Asia. 47 per cent of organisations surveyed in Australia and 55 per cent in Asia have adopted ‘incident response’ toolsets or services”, as well as “announcement of legislation around mandatory data breach notification by the Australian Government”, so how long until non-repudiation makes it to the main focal area? I reckon one incident too late; at that time Telstra becomes a ‘responsive telecom’, nothing pro-active about it. When the first victim comes and the 99% realise that there is no actual non-repudiation properly in place, how many will remain with Telstra? And it is not merely them; a much larger global telecom provider pool has that same flaw. The one who did think ahead will be gaining exponential growth the day after someone got hit, and we have seen the need for non-repudiation grow for almost 4-5 years, so it is not coming out of the blue.

So, when we see the sales pitch called an executive summary at the beginning, we see the mention of “That organisations are prepared to take such acknowledged risks speaks to the urgency of their move to cloud services”. So is non-repudiation addressed there? And the start of that page gives “Organisations and individuals are dealing with new security and business opportunities, many of which are fuelled by mobility”; which of these sides is proving that you and only you bought the 50,000,000 shares at $29.04, followed by the loss of 63.223% (roughly) we saw in the 45 seconds after that? At that point, proving to a boss that you and only you bought them, would that perhaps be good, bad, or was blaming a hacker the solution?

So in that report, where we saw ‘Mobile malware’, ‘Advanced Persistent Threats’ and ‘Web and application vulnerabilities’, when we realise that the report gives us ‘Number of days compromise went undiscovered (median)’ with a value of 520 days (almost 18 months), would a flag that ‘not an employee’ had access have helped in finding it sooner than 18 months?

It all reads like a cloud sales paper, as if security were less complex. It does not solve the non-repudiation issue, which will soon be at the doorstep of telecom companies, and they have been in denial for too long that something needs to be done. Whoever solves it will be the winner of the 5G race, and they will gain the 5G business both from those claiming to have any non-repudiation and from those who did not bother. It is not sexy, it is not limelight, but it will be the cornerstone of personal and corporate safety a lot sooner than most people realise.

It all matters because flattening the organisation means that there is either space provision for that branch of security or it falls in the gaps and is forgotten until too late. Andy Penn can deflect all he can at that point (or his successor), but at that point the impact of such an event will be too devastating to respond to or correct for.

The issue remains complex, and if people remember the issues I have with Microsoft, will also accept the part I now give them, because one quote on this from Microsoft is bang on: “Can we say we have non-repudiation by putting a check in a box on a certificate template? Absolutely not, we must first jump through many hoops to be sure that only the owner of a private key associated with the certificate ever has access to it. This involves many controls, policies, procedures and security practices, some of which are listed above“, it is a much harder field, but an essential one and even as financial services are eager to embrace it, data handlers need to start doing this too.

We need to acknowledge that ‘authentication is easy, non-repudiation is hard’, and as 5G, automation and cloud systems evolve, the legal need for non-repudiation grows almost exponentially for every day that the three are active in a corporate and personal environment. Those who ignored that essential need end up having no legal foothold on any claim whatsoever. In my mind, companies who ignored it will lose their IP and most legal options to get it back the moment it gets downloaded to another place. That IP will soon thereafter be owned by someone else, or it ends up in the public domain where anyone can use it free of charge; both are nightmare scenarios for any firm relying on IP.

Filed under Finance, IT, Law, Science

Authentically Realistic

Whilst we see many sources talk about the need to blame North Korea, we see an abundance of changes that are not just changing the way we think; these changes will also change the way we live and act. As we are soon to be lulled into a further false sense of security, we must now contend with the thought: what is real and what is not.

In IT these issues have existed on several layers for a long time, yet Common Cyber Sense has been absent for a massive amount of time. Bradley Edward Manning, now known as Chelsea Manning, is only one of several parts of this puzzle. Wikileaks has added its own levels of damage and let us not forget the acts of Julian Assange and Edward Snowden. This is not about how things were done; it is about a lack of proper measures and controls. In the age of people screaming that they have a right to know, they will publish whatever they can for the need of ego and then scream about how the government is abusing their right to privacy.

These are all elements that link back to ‘Common Cyber Sense’.

CCS as I call it has in its foundations a few branches. The first is proper use and knowledge. Many still laugh and sneer at manuals and proper use of equipment, yet when other people started to ‘look’ through their webcams on laptops into their privacy, smiles disappeared quickly. We live in an age where everything is set around the fake image of comfort, it is fake because comfort at the expense of security is never comfort, it is just an added level of danger into your own life. At this point people forget that what is set into software, can usually be switched on and off at the leisure of a skilled ‘someone else’.

Buying what is cheap and what is right are worlds apart; that part is more and more a given fact. The bulk of people are lulled into ignorance when it comes to a simple easy tool that can be used everywhere, at which time they forget to ask ‘by everyone?’. Consider the HP laptop (one of many brands) that has a built-in webcam at the top of the screen; instead of relying on a software switch, these makers could have added a little slide that covers the lens, literally a low-tech solution making the lens see nothing. As far as I can tell, no one took that precaution for the safety and security of the consumer; is that not nice?

The second branch is access. If I got $.50 for every person that uses their name, ‘qwerty’, ‘password’ or even ‘abc123’ for their login, I could buy a small island like Hawaii or New Zealand, probably even both. Even though many websites and systems demand stronger passwords, there is always that bright person who uses the same password for every site. This is part of a larger problem, but let’s move on for now.

Third is the connection branch, places where we can ALWAYS connect! You think that not having passwords on your home Wi-Fi makes you safe? Wrong! You could add loads of problems on every device that connects to it by not properly setting things up. I wonder if those with an automotive router have considered the dangers of not setting it up properly and letting all the people they pass access to whatever is connected to it in the car.

The fourth branch is for the unknown. This might seem like a weird option, but consider how fast movable technology is growing. I am using ‘movable’ and not mobile, because this changing field includes phones, laptops, PDAs, tablets and other not yet defined devices (like the Apple Watch, handheld game systems and consoles).

At the centre of all this is proper usage, but not just your hardware, it also includes your software, a fact many have remained oblivious to.

At this point, I will take a temporary sidestep and let you consider the following term ‘non-repudiation’.

Non-repudiation is about identity and authentication. Basically it states, ‘you and you alone’ have sent this item (message, photo, financial transfer). It builds on authentication but goes one step further: the receiver being satisfied that the item came from you is authentication; non-repudiation requires evidence that also convinces a third party, such as a court, so that you cannot later deny the act and nobody else could have performed it in your name. In legal reasoning this will be the strong shift that will most likely hit many people in 2016 and onwards; it could hit you this year, but there are more than just a few issues with this situation for the immediate now. So when you lose your money and you state you were hacked, then you might soon have to prove it, which means that any evidence that you EVER gave your password or pin-code to a spouse, lover, boy/girl friend or sibling means that you nullified your rights. You get to pay for the consequences of THEIR acts at that point.

So when we see biometrics, we think fingerprint and we expect to be a lot safer. WRONG! Only last month did a group in Germany show how they recreated the fingerprint of the German Defence minister from simple digital photos, which means that this could have given them access to a whole collection of items, events and information they should not have gotten access to. So what to do? Well, that market is growing really fast. ‘Vein’ is the latest. It does not rely on the fingerprint but on the veins in a finger or hand; it is just as unique as a fingerprint, it is a 3D pattern, making it even more secure, and it requires an actual living hand. It also lacks the dangers of influence that a retinal scan has when a woman gets pregnant, or in the case of a diabetes patient or alcohol levels. These can all shift retinal scans, with the added problem that this person stays outside the lock, becoming the valid person ‘no more’. Yet ‘Vein’ is still a new technology and not currently (or in the near future) available for movable devices, which leaves us with the issue of what devices are actually decently secure.

Let’s not forget, that even though this is not an immediate issue, the people will need to change their possible ‘lacking’ approach with more than just slow muffled interest, whilst they rely on the comfort of not having to comprehend the technology. That part is still not completely disregarded in several cases, the issue at Sony being likely the most visible one for some time to come. There is still a massive amount of actual intelligence missing. Most speculate, including me (yet I have been looking at these speculators and claimers of facts). Whilst Sony is visible, there are still unanswered issues regarding the NSA and how a place like that had the implied intrusion Edward Snowden claimed to have made.

Now let us take a step back to the four branches. I showed the webcam issue in the first branch, but the lack of consideration by the user is often a bigger problem. You see, many ‘lock’ their device, or just walk away and switch their screen off. Their computer remains connected and remains accessible to whoever is looking for a place to hack. I know that waiting 45 seconds is a bother at times, but learn to shut down your computer. A system that is switched off cannot get hacked; the same applies to your router (which actually has the added benefit of letting your adapter cool down, making the device last longer) and your overall electricity bill goes down too. All these benefits, all neglected for the fake comfort of accessing your social media the second you come home. Yet proper usage also includes software upgrades. Many do them, but more often than not they only take effect when the system reboots; when this is not done (or the software upgrades are not made) your system becomes increasingly at risk of intrusions of all kinds. Windows 7, which is a lot better than either Vista or Windows 8, still required 84 patches in 2014, with over half a dozen being either critical or important, so you see why even in the best of times, with all conditions met, you still run some risk. And this is just Windows; in 2013 they had to fix 47 vulnerabilities regarding Outlook, Explorer and the Windows kernel. There was a massive issue with remote execution, which means that your system was open to the outside without the need for a login (source: PCWorld). Now, to their defence, Windows and Office are massive programs, but still, it seems that Microsoft (not just them) have taken a strong stride towards ‘comfort’ whilst ignoring ‘safety’ (to some extent).

Branch two is usually the biggest flaw. Even though many websites will require a decent level of strength (usage of small and capital letters, numbers and a special character), that list is still way too small. The number of people that I have met that use the lamest of simple words (like ‘abc123’), and these people cry the loudest when their money is gone. You see, it is easier to just hack your computer or device and use that system to order online via other means than it is to hack into your bank account. Yes, it is a bother (at times) to remember every password, yet in that regard you could be clever about it too. There is nothing stopping you from creating variations on a password whilst making sure it is a completely different one. I learned that someone had used her dictionary app to use a version of the word of the day; she changed ‘adscititious’ into something like ‘Adsc1t!tious’. Good luck figuring that one out! (I had to look up the word, in all honesty.) The options become even more interesting if you speak additional languages. So, branch two is something that you, the user, largely control.
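One caveat a practitioner would add to the ‘Adsc1t!tious’ advice, as an added example that is not from the original post: wordlist crackers apply exactly this kind of letter substitution and capitalisation rule to every dictionary entry, so a leet-spelled dictionary word sits only a few thousand guesses away from its base word. The substitution table below is an assumption modelled on common rule sets, not any real cracker's rule file, and the two-word dictionary is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed substitution rules (letter -> alternatives), modelled on the
// leet-speak rules that cracking tools ship by default. Constructed for
// this example; real rule files are larger.
var leet = map[rune][]rune{
	'a': {'a', '4', '@'},
	'e': {'e', '3'},
	'i': {'i', '1', '!'},
	'o': {'o', '0'},
	's': {'s', '5', '$'},
	't': {'t', '7'},
}

// Mangle returns every variant of word obtained by independently replacing
// each letter with one of its alternatives, and then optionally
// capitalising the first character. This is what a rule-based cracker
// does to each dictionary entry before hashing it.
func Mangle(word string) []string {
	word = strings.ToLower(word)
	variants := []string{""}
	for _, r := range word {
		alts, ok := leet[r]
		if !ok {
			alts = []rune{r} // letters without a rule are kept as-is
		}
		var next []string
		for _, prefix := range variants {
			for _, a := range alts {
				next = append(next, prefix+string(a))
			}
		}
		variants = next
	}
	// Capitalise-first rule, applied on top of every substituted variant.
	out := make([]string, 0, 2*len(variants))
	for _, v := range variants {
		out = append(out, v)
		if len(v) > 0 {
			out = append(out, strings.ToUpper(v[:1])+v[1:])
		}
	}
	return out
}

// Hits reports whether candidate is produced by mangling any word in the
// dictionary, and how many candidates were generated before the match.
func Hits(dictionary []string, candidate string) (bool, int) {
	tried := 0
	for _, w := range dictionary {
		for _, v := range Mangle(w) {
			tried++
			if v == candidate {
				return true, tried
			}
		}
	}
	return false, tried
}

func main() {
	dict := []string{"password", "adscititious"} // constructed two-word list
	found, tried := Hits(dict, "Adsc1t!tious")
	fmt.Printf("Adsc1t!tious recovered=%v after %d candidates\n", found, tried)
	fmt.Printf("variants of adscititious: %d\n", len(Mangle("adscititious")))
}
```

For ‘adscititious’ these rules generate 11664 candidates, and ‘Adsc1t!tious’ is one of them; that is a trivial amount of work once the base word is in the list, which is the case for any word a dictionary app serves up. A password that does not start from a dictionary word, or a long multi-word passphrase, does not fall to this rule.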

Branch three is actually the growing danger. It is not just when we connect, but when things connect automatically (and from where) that becomes an issue. Insurance companies are more and more about your visibility, even though no official moves have been made; the day that junior uploads that catch of the day to his Facebook with dad in the background is the opportunity for the members of the ‘institute of discrete entry and removal operations’ to help you with your old stuff (the missing items when you get home). Then there is the information you ‘give’ when you connect, especially in free Wi-Fi places: when you connect to free Wi-Fi, more than one danger exists that others can connect to you, and yes, you could learn that free Wi-Fi was the most expensive part of your vacation soon thereafter. It moves more and more to your area of usage. As we get more connections and as we can connect from more places (like the automotive router), we will receive additional responsibilities in setting devices up properly for our safety and the safety of our children.

Now, to take a second sidestep. This is not about scaring you (a nice benefit for sure), some of these things can be prevented from point zero. Knowing what you switch off, switching off when not used are first easy and elemental steps. You see, a hacker looks for a place to get into, when your computer and router are switched off, the hacker will not spot these devices at all and move on. Hackers do not like to waste time, so when you use proper passwords, that same hacker will lose a lot of time getting access to your devices, time he could be having ‘fun’, so these two elements are already diminishing the chance of you getting transgressed upon. But in the end, there is another side. Makers of hardware and software need to become increasingly aware that their ‘toys’ have malicious usage. It was Geek.com that had the article ‘Yes, Xbox One Kinect can see you through your clothes‘ (at http://www.geek.com/games/yes-xbox-one-kinect-can-see-you-through-your-clothes-1576752/), which gives an interesting demo (without showing off anything indecent) how defined and articulate the scan system worked and it is a hackable solution, even there we see the mention that a lens cover would not have been a bad idea.

Yet we have digressed away from the heart of the matter. All these are linked, but the crown in the hardware is an increasing need for non-repudiation, showing that you and only you acted. Having this evidence could also go a long way in proving that you were innocent and that you were the victim. It is easy to claim that the makers are at fault, and to some degree they are, but there is a growing need to have the right solution, and so far any clean solution remains absent; whoever comes up with that could own the cornerstone of the global technology sector, an area that represents a massive amount of long term revenue.
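To make the distinction concrete, the following is an added example, not code from either of the original posts. It contrasts the two settings both posts keep apart: a message authentication code, which gives the receiver authentication but no proof it can show to anyone else (the 2018 post's point that the phone-number hijack was an authentication failure, and its closing line that ‘authentication is easy, non-repudiation is hard’), against a public-key signature, which delivers the ‘you and you alone’ evidence the term is introduced with above. It uses only Go's standard library (crypto/hmac and crypto/ed25519); the share order, the shared secret and the key pairs are constructed inside the block for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample 'item' for this example: the share order the 2018 post
// uses as its illustration of 'you and only you bought them'.
var order = []byte("BUY 50000000 TLS @ 29.04 acct=1234 nonce=7f3a")

// --- Authentication only: a MAC under a key shared by customer and bank ---

// MacTag returns the HMAC-SHA256 tag of msg under key.
func MacTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MacVerify checks the tag in constant time. Anyone able to verify holds
// key, and can therefore mint the same tag.
func MacVerify(key, msg, tag []byte) bool {
	return hmac.Equal(MacTag(key, msg), tag)
}

// --- Non-repudiation: a signature under a key only the customer holds ---

type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return Signer{Pub: pub, priv: priv}
}

// Sign produces a signature that only the private-key holder can make.
func (s Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// Verify needs only the public key, so the bank, a regulator or a court
// can check the signature without gaining the ability to forge one.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Compare runs both schemes over the same order and reports
// (macValid, bankCanForgeMac, sigValid, bankCanForgeSig).
func Compare() (macValid, bankCanForgeMac, sigValid, bankCanForgeSig bool) {
	shared := []byte("secret shared by customer and bank") // constructed
	tag := MacTag(shared, order)
	macValid = MacVerify(shared, order, tag)
	// The bank holds the same key: its 'forged' tag is byte-identical, so a
	// valid tag cannot show which of the two parties produced it.
	bankCanForgeMac = bytes.Equal(MacTag(shared, order), tag)

	customer := NewSigner()
	sig := customer.Sign(order)
	sigValid = Verify(customer.Pub, order, sig)
	// The bank has only customer.Pub; whatever key it signs with, the
	// result does not verify under the customer's public key.
	bank := NewSigner()
	bankCanForgeSig = Verify(customer.Pub, order, bank.Sign(order))
	return
}

// TamperDetected shows that changing a single digit of the signed order
// (here the quantity) invalidates the customer's signature.
func TamperDetected() bool {
	customer := NewSigner()
	sig := customer.Sign(order)
	altered := bytes.Replace(order, []byte("50000000"), []byte("50000001"), 1)
	return Verify(customer.Pub, order, sig) && !Verify(customer.Pub, altered, sig)
}

func main() {
	macValid, macForge, sigValid, sigForge := Compare()
	fmt.Printf("HMAC:    valid=%v bankCanForge=%v\n", macValid, macForge)
	fmt.Printf("Ed25519: valid=%v bankCanForge=%v tamperDetected=%v\n",
		sigValid, sigForge, TamperDetected())
}
```

Run it with go run: the HMAC line reports bankCanForge=true because the bank holds the same key and produces a byte-identical tag, so a valid tag proves only that one of the two key holders made it, which is why a MAC settles nothing in a dispute between those two. The Ed25519 line reports bankCanForge=false: the bank can check the signature with the public key alone and cannot produce one. This is also where the Microsoft quote in the 2018 post bites: the signature is only non-repudiable while the private key never leaves its owner, so the hard part is key custody (hardware tokens, enrolment, revocation), not the arithmetic.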

 


Filed under IT, Law